Aptus Health’s Approach to GDPR Preparedness

Online data has the potential to offer great value to consumers; it also requires careful management to ensure its protection
from unauthorized use. By creating the General Data Protection Regulation (GDPR), the EU has made a bold new commitment
to maintaining the privacy of users' personal data, especially in the face of advancements in technology and globalization.

As a global digital marketing organization focused on delivering high-value content to healthcare professionals, Aptus Health
has always striven to be as transparent as possible with our user community. This philosophy has helped us build trusted
relationships with our audience. Our efforts to comply with the GDPR underscore our commitment to ensuring data protection
and thus, greater value to the people we serve.

Read on to learn how Aptus Health has addressed the new Regulation and is prepared for its enforcement.

Aptus Health GDPR Preparation

What is GDPR?

The EU General Data Protection Regulation (“GDPR”) comes into force on 25th May 2018 and brings with it the most significant changes to data protection law in decades.
GDPR builds on the 1995 Data Protection Directive and modernizes data regulation to reflect technical evolutions over
the past 25 years and how businesses use and collect data today.

Whilst the Directive was implemented in each state of the European Union, GDPR will apply directly in all EU states, driving
consistency and harmonization across the EU. GDPR provides new and stringent safeguards for personal data. Designed to
strengthen individuals’ rights and create better transparency and control, it will ensure data subjects are better informed
and have greater control over their personal data. It also requires new controls to protect against data breaches, and
to ensure that companies build strong data privacy and security into every aspect of their business, workplace, and products.

What is Aptus Health’s approach to Data Protection?

Aptus Health believes that the privacy, security, accuracy and integrity of personal data is a fundamental right and has
always made privacy and data protection a central part of our business. We embrace the principles of GDPR and recognize
that the regulation will continue to drive us towards the highest standards in protecting data.

At Aptus Health, we already deploy a comprehensive and effective data protection program. However, we recognize our responsibility
to update and expand our program and have taken the necessary steps to meet the demands of the GDPR. For more than a year,
we have undertaken an extensive GDPR compliance program, not only because the regulation requires it, but because building
GDPR safeguards into everything we do is a key part of our commitment to our customers, network of healthcare professionals,
and consumers. Privacy by default and design has always been part of our corporate DNA.

Third-party tools and marketing technology providers (e.g., marketing automation platforms, CRMs, etc.) are integrated into
our operations and data ecosystem. Therefore, in addition to our own preparation, we have taken measures to confirm that
our partners share our commitment to GDPR compliance.

How Have We Prepared to Meet the Requirements of GDPR?

Prior to GDPR, Aptus Health already had robust programs in place addressing the importance of privacy, data protection, and security across our organization. We have subsequently implemented strong new and/or updated existing privacy and data protection programs and processes to ensure that we are ready to meet GDPR requirements.

Our preparation includes the following:

Employee Awareness and Training: It is vital that Aptus Health foster continuous employee awareness and understanding
in order to remain compliant with GDPR requirements. All of our employees—including those who work outside the EU—have been involved
in preparation for GDPR, have completed mandatory general awareness training, and have reviewed and signed off on the GDPR
policies.

Records of Processing: We have created a Processing Register and Data Inventory to identify which of our business
processes use personal information, why the personal data is being processed, if and to whom it is disclosed, what
the lawful basis of processing is, and where it is stored and transferred. We plan to continuously update these records
and maintain them for accountability purposes.

Policies & Procedures: We have implemented new privacy and data protection policies and procedures, and revised existing ones,
to meet the requirements and standards of the GDPR and any relevant data protection laws, including
the following GDPR policies:

Compliance Overview Policy

Roles and Responsibilities Policy

Lawfulness of Processing Policy

Rights of the Data Subject Policy

Data Subject Rights Information Notices Policy

Records of Processing Policy

Security of Processing Policy

Data Protection by Design/Default Policy

Cross Border Transfer Policy

Data Breach Policy

Sanctions, Penalties, and Fines Policy

Governance Policy Procedures/Plans

GDPR Privacy/Security Incident Management Plan/Data Breach Procedures: We have updated our existing privacy and security incident management procedures, including adding GDPR breach
requirements to help ensure we are able to meet deadlines for reporting data breaches.

International Data Transfers & Third-Party Disclosures: Where Aptus Health stores or transfers personal information outside the EU, we have robust procedures and safeguarding measures in place to secure, encrypt and maintain the integrity of the data. Our procedures include a continual review of the countries with sufficient adequacy decisions, as well as provisions for
standard data protection clauses for those countries considered not to have sufficient privacy
protections in place, and Privacy Shield certification (for transfers to the United States). We carry out strict due diligence checks with all recipients of personal data to assess and verify that they have appropriate safeguards in place to protect the information, ensure enforceable data subject rights and have effective legal remedies for data subjects where applicable.

Data Subject Access Request (DSAR): We have revised our procedures to accommodate the revised 30-day timeframe for providing requested information. Our new procedures detail how to verify the data subject, what steps to take for processing an access request, what exemptions apply, and response templates to ensure that communications with data subjects are compliant, consistent and adequate.

New System Development Life Cycle Processes: We have developed organizational procedures for embedding appropriate privacy protective measures in applications, services, and/or products that are being newly developed or changed. These measures support the protection of the data subject’s privacy and safeguard their personal data, and they are applied during the entire lifecycle of the processing of the personal data. Where applicable, we intend to ensure the most restrictive privacy settings are turned on by default.

Data Protection Impact Assessments (DPIA): We have developed robust procedures, including assessment templates, for carrying out data protection impact assessments that align with the GDPR’s Article 35 requirements. We have implemented documentation processes that record each assessment, allow us to rate the risk posed by the processing activity, and implement mitigating measures to reduce the risk posed to the data subject(s).

Legal Basis for Processing: We reviewed all processing activities to identify the legal basis for processing and to ensure that each basis is appropriate for the activity to which it relates. We maintain records of our processing activities, ensuring that our obligations under Article 30 of the GDPR and Schedule 1 of the Data Protection Bill are met.

Privacy Notice/Policy: As part of our commitment to privacy and transparency, and in compliance with GDPR, we updated our Privacy Notices, ensuring that individuals whose personal data may be processed by Aptus Health (e.g., users, clients, and employees) have even more clarity and transparency on how personal data is used, what their rights are, to whom the information is disclosed, and what safeguarding measures are in place to protect their information.

Obtaining Consent: In circumstances where we rely on individuals’ consent to process their personal data, we have assessed and updated our consent mechanisms where needed, ensuring that consent given by individuals meets the requirements of GDPR and is freely given, specific, informed, and unambiguous. We also developed strong opt-out mechanisms to ensure that individuals have a simple and easily accessible way to withdraw their consent at any time.

How do we ensure that our Vendors/Processors meet their GDPR obligations?

Processor (Vendor/Partner) Compliance Assessments - To ensure that third-party vendors and partners that we use to process personal information on our behalf (e.g., Hosting, Analytics, Payroll, Recruitment) meet and understand their GDPR obligations, we have implemented a Third-Party Vendor Compliance Assessment process. This process includes the evaluation of the General Compliance, Privacy, Security, and Quality controls they have in place related to the services the vendor/processor provides to us.

Special Categories Data – Aptus Health’s commercial activities do not involve the collection of special categories of personal data. If and when Aptus Health needs to collect and process special categories of personal data, Aptus Health will do so in compliance with the requirements of Article 9 of GDPR.

International data transfers – Aptus Health is a company that operates at a global level with suppliers, clients and subsidiaries outside of the European Economic Area (EEA). Aptus Health only transfers personal data or allows it to be processed by third parties outside of the EEA when the requirements of GDPR are met and when appropriate safeguards are in place to ensure an adequate level of protection. Aptus Health has entered into standard contractual clauses with its affiliates located outside the EEA. Aptus Health complies with the principles of the EU-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield Frameworks in relation to transfers to the US. To learn more about the Privacy Shield program, and to view our certification page, please visit https://www.privacyshield.gov. To review Aptus Health’s Privacy Shield Policy, please visit https://aptushealth.com/privacy-shield. Aptus Health
also screens third-party suppliers and business partners and systematically reviews, implements and documents
safeguards before cross-border transfers. Aptus Health has previously certified
to the Safe Harbor.

Data Subject Rights

Aptus Health has processes in place to ensure that individuals can enforce their data protection rights. These include the following rights to:

Access and rectification

Transparency and basic information

Data portability

Erasure

Restriction of processing

Withdraw consent

Object to processing

To ensure individuals can enforce their data protection rights, we provide them with detailed information on how to exercise their rights.

What Technical and Organizational Measures Are In Place?

We have robust information security policies, procedures and controls (both organizational and technical) in place to protect personal information from unauthorized access, alteration, disclosure or destruction, and have implemented several layers of security measures based upon the assessed risk of the personal data with which we have been entrusted.

GOVERNANCE

Governance Team

Aptus Health has appointed a GDPR Governance Committee with the primary responsibility of guiding the company in meeting all GDPR accountability requirements. This team, which includes senior management, is responsible for assisting Aptus Health in meeting its obligations as a data controller and/or data processor, especially those associated with GDPR accountability requirements.

These accountability measures include, but are not limited to, activities such as:

Creating formal procedures to ensure that personal data breaches are addressed appropriately and in a timely manner

Appointing a Data Protection Officer (DPO)

Data Protection Officer (DPO)

We have designated Soline Gassmann as our Data Protection Officer (DPO) and have appointed a data privacy team that has developed and implemented our roadmap for compliance with the new data protection regulation.

If you have any questions about our preparation for the GDPR, please contact our Data Protection Officer (DPO) by emailing DPO@aptushealth.com.